Share this Page

UrlScan 3.0 Aims To Block SQL Injection Attacks

By Kurt Mackie

08/25/08

Microsoft has released an improved security filter for its Internet Information Services (IIS) Web server that is designed to help thwart SQL injection attacks. The free application, called UrlScan 3.0 (Release-to-Web version), is an add-on tool to IIS that provides real-time verification of HTTP server requests, potentially blocking malicious code.

SQL injection attacks have become worldwide problem in the last eight months or so. They affect Web sites built using Microsoft's widespread ASP or ASP.NET code, or code enabling dynamic Web sites.

In June, Microsoft issued Security Advisory 954462, explaining that the SQL injection attack problem did not lie with SQL Server per se. Rather, poor security practices in Web applications are to blame, company officials explained.

A SQL injection attack is a direct attack on SQL Server by means of malicious code in a query string, which is passed to SQL Server through an Internet application. If the right safeguards are not in place, the code could be executed by Microsoft SQL Server, causing havoc on the Web site's back end.

UrlScan has been available for about five years, but Microsoft added some new features in Version 3.0. Perhaps the most important improvement is that UrlScan 3.0 provides support for query string scanning.

For technical reasons, previous versions of UrlScan did not examine the query string in the server request. Instead, UrlScan Version 2.5 blocked server requests based on aspects such as URL string length, according to Wade Hilmo, Microsoft's senior development lead on the IIS product team, the team that wrote UrlScan.

"In [UrlScan] 3.0, we added the ability to do filtering based on the query string, in addition to the URL," Hilmo said. "We also added the ability to create more granular rules that can be targeted to specific types of requests. For example, you can write a rule that only applies to ASP pages or PHP pages, which is something you would never be able to do in UrlScan 2.5."

Another improvement for developers is the ability to specify a safe list of URLs and query strings that can bypass UrlScan checks. In addition, Version 3.0 uses W3C-formatted logs for ease of analysis.

Version 3.0 of UrlScan is compatible with the configuration files administrators used with Version 2.5, so those settings are retained on an upgrade to a production server. Microsoft also added support for 64-bit IIS processes with this version.

Those using Microsoft's latest Web server, IIS 7.0, already have UrlScan 2.5 features built into a component of IIS called the Request Filter, Hilmo said. Microsoft plans to update IIS 7 in the future to add the new features in UrlScan 3.0 to IIS 7.0, according to Hilmo's blog.

UrlScan 3.0 is by no means a Web security cure all. Hilmo described it as a "stopgap measure" that can be used to protect the server. Security ultimately needs to be enforced in the Web application itself.

"Really the application running on the server is the only piece of code that actually knows what the SQL query is intended to do," Hilmo explained. "So the fix for the root cause is for application developers to go in and do the validation and make sure that the SQL data that they are sending to the SQL Server is what they intend."

He pointed people to Microsoft's articles on best practices for Web application development to learn how to guard against attacks.

A couple of resources are available on the Microsoft Developer Network Web site: